Google’s Threat Analysis Group (TAG) warned “multiple” people that APT31 (also known as Judgment Panda and Zirconium) was after their sensitive information, and that the phishing attacks were successfully blocked in their email services.
"In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government," Google Threat Analysis Group's Director Shane Huntley noted.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
Not linked to Ukraine
"Today, we sent those people who were targeted, government-backed attacker warnings. We don't have any evidence to suggest that this campaign was related to the current war in Ukraine."
Earlier this week, TAG also warned of Russian, Belarusian, and Chinese threat actors targeting Ukrainian and European government and military organization endpoints with “widespread” phishing and Distributed Denial of Service (DDoS) attacks.
"Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter," Huntley said in the report.
Huntley added that it’s hard to determine whether or not the attacks have anything to do with the situation in Ukraine.
Since 2012, Google has been sending out notifications to affected customers, whenever it spots attacks using infrastructure known to be linked to state-sponsored threat actors.
BleepingComputer reminds that Google TAG security engineer Ajax Bash announced the company sent out some 50,000 of these alerts last year. Of that number, almost a third (15,000) were linked to APT28, a threat actor that allegedly has strong ties to Russia’s General Staff Main Intelligence Directorate (GRU).
The last time APT31 made headlines, it was spotted targeting Russian-based organizations with phishing, after which it would distribute never-before-seen malware.
Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies observed at the time, that the APT31 was particularly cunning in developing and deploying the malware. Not only did it employ various detection avoiding techniques, but it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it created.
“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
- Here's our rundown of the best secure email providers right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.